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tier 2 switch (which may be coupled directly to the Internet backbone, for example) 
and any of the tier 3 switches can be monitored by the virus monitors 102 at a 
point prior to any of the client devices. By providing a bulwark against a potential 
virus attack, ihe virus monitors 102 provide a focal point for virus detection, virus 
outbreak prevention, and, if needed, virus outbreak cleanup and restoration that, in 
turn, effectively protect the various client devices from the attacking virus. It 
should be noted, thai a docking port can be included in network 100 arranged 
to accept temporary, or visitor, client devices. 

iff^^M Please replace paragraph (^43^ with the following amended paragraph: 
fi^^ -{QQi^^ In the case where virus monitor 102 has detected a possible virus in 
one or more of the data packets (or m the case where a potential intruder attack is 
underway), virus monitor 102 generates an event flag. This event flag provides 
information based upon the detected virus using both the rules set 136 and the OPP 
file 135 as well as any other data deemed useful. Typically, the event flag is 
passed directly to the controller 126 which may, in some cases, forward the event 
flag to the server 138 for further analysis and/or disposition of any remedial 
actions, if any. This collaborative nature of the inventive virus monitoring system 
is well documented and described in co-pending U.S. Patent Application No. 
10/411>665 , Attorney Docket No. 87152491-002027 entitled, "MULTILEVEL 
VIRUS OUTBREAK ALERT BASED ON COLLABORATIVE BEHAVIOR" by 
Liang et al filed April 10> 2003 which is incorporated by reference herein in its 
entirety for all purposes. 

f)cU / Please replace paragraph 41U>9^ with the following amended paragraph: 
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In some cases, the even; flag represents a potential threat so severe 



that the operation mode of virus monitor 102 is immediately changed from the 
standby mode to what is referred to as the inline mode without intervention from 
the controller 126 as shown in FIG. S. In the inline mode, all data packets in the 
traffic flow Tl are analyzed without copying such that those data packets 
determined to be (or suspected of being) infected are not allowed to pass back into 
the traffic flow (in this case Tl is greater than T2). In this the virus is blocked 
from passing to and throughout network 100. In other instances where the event 
itself does not trigger virus monitor 1 02 to change operations mode to the inline 
mode, a mode change command &^ 502 from e khcr - the controller 126 or a mode 
change command 504 from the server 128 is used to trigger the mode change. In 
this, way, the inventive anti-virus system has the added advantage of delegating 
authority to the virus monitors in those situations where speed is of the essence to. 
contain a potential viral outbreak. On the other hand, in those cases where the 
threat is less clear» or further analysis is required, the onus of determining the 
threat potential and execution of a defense plan can be focused in higher level 
analysis engines (such as a system administrator^ for example) thereby reducing 
false alarms and unnecessary system shutdowns. 



Please replace paragraph with the following amended paragraph: 



viruses in the associated traffic tlow will dispatch a corresponding event report to 
the associated controller 126. The various controllers, in turn, will forward the 
various event reports to the server 128 where they will be collated and analyzed in 
order to determine if a virus warning 506 should be generated. In the case 





Therefore, each of ihc virus monitors 102 that have detected a virus or 
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